On Mon, Dec 23, 2024 at 12:29:09PM +0100, Julian Andres Klode wrote:
> On Wed, Dec 18, 2024 at 12:02:18AM +0100, Julian Andres Klode wrote:
> > On Tue, Dec 03, 2024 at 04:34:52PM +0100, Julian Andres Klode wrote:
> > > On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:
> > > > I've just finished, more or less, adjusting the APT test suite
> > > > to test gpgv-sq. I plan to upload APT that tests gpgv-sq
> > > > tomorrow. This ensures full compatibility between apt and
> > > > gpgv-sq going forward.
> > > >
> > > > After that migrates to testing next week, I want to make
> > > > the switch: APT by default should use gpgv-sq. Previous
> > > > discussions with the security team did not reveal any
> > > > blockers for that, despite the strenuous nature of
> > > > security updates for Rust packages.
> > >
> > > This has been delayed. There's ongoing investigation into
> > > sqv and sqopv, which are smaller verifiers from Sequoia,
> > > measuring only 2MB and without an SQLite dependency, hence
> > > saving about 6MB.
> >
> > An sqv backend is now available in apt-team/apt!409 and in
> > experimental in apt 2.9.17+exp1.
> >
> > Note that the experimental upload only supports architectures
> > with sqv available. There is no fallback yet.
> >
> > The plan is to detect if sqv is available at build time, by
> > build-depending on sqv for the correct set of architectures,
> > and then generate a `Depends: sqv` for those architectures,
> > and `Depends: gpgv` for other (ports) architectures.
> >
> > The sqv binary is about 2MB large when optimized for size,
> > and provides good feedback when a key cannot be verified.
>
> The Sequoia sqv backend is now the default backend in unstable
> for architectures that have it (all release architectures, most
> ports).
>
> 2.9.19 also replaces internal GnuTLS and gcrypt use with OpenSSL,
> and all use of GnuPG in the test suite with Sequoia's `sq` command.
>
> There is a backwards-incompatible change: Signed-By can no
> longer contain an exact subkey match (suffix "!"). That
> information is - rightly so - not available in the sqv
> output.
Space consumption, with apt from experimental:

105M experimental.min.tar
192M experimental.tar
114M unstable.min.tar
196M unstable.tar

i.e. we see a 9MB saving for essential+apt, and a 4MB saving for a
default mmdebstrap. Something still pulls in gpgv there, which is
unfortunate; we lack a 5MB saving.

More savings can be achieved by building sqv using openssl, then we
stop pulling in nettle.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
signature.asc
Description: PGP signature
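The backwards-incompatible Signed-By change mentioned in the thread (the "!" exact-subkey suffix that the sqv backend no longer honours) is worth checking for in existing source definitions before the upgrade lands. The following is an added example, not apt's or Sequoia's code: it scans constructed sample entries in both the deb822 `.sources` format and the one-line `sources.list` format for key references carrying the suffix, and can strip it. It assumes the field syntax from sources.list(5), i.e. `Signed-By:` holding either a keyring path or fingerprints (whitespace- or comma-separated), and `[signed-by=...]` with comma-separated values in the one-line format; the fingerprints, hostnames and keyring paths in the samples are placeholders.

```python
"""Find (and optionally drop) Signed-By key references that use the "!"
exact-subkey suffix, which the sqv backend does not support.

Added example, not apt's code. Field syntax per sources.list(5) is assumed;
all sample entries, fingerprints and URIs below are constructed placeholders.
"""
import re
from typing import Dict, Iterator, List

# A key ID or fingerprint (8..40 hex digits, optional 0x prefix), with an
# optional "!" exact-subkey suffix captured in group 1.
KEYREF_RE = re.compile(r"^(?:0x)?[0-9A-Fa-f]{8,40}(!?)$")

# One-line format: "deb [opt=val opt2=val2] URI suite components..."
ONELINE_OPTS_RE = re.compile(r"^\s*deb(?:-src)?\s+\[([^\]]*)\]")

# A "!"-suffixed key reference anywhere in either format, not glued to a path.
EXACT_SUFFIX_RE = re.compile(r"(?<![\w/.-])((?:0x)?[0-9A-Fa-f]{8,40})!(?=$|[\s,\]])", re.M)


def deb822_stanzas(text: str) -> Iterator[Dict[str, str]]:
    """Yield each blank-line separated stanza as {field: value}.
    Continuation lines (leading whitespace) are folded into the previous field,
    so an inline armored key block stays attached to Signed-By."""
    stanza: Dict[str, str] = {}
    last = ""
    for line in text.splitlines() + [""]:
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last = {}, ""
        elif line.lstrip().startswith("#"):
            continue
        elif line[0] in " \t" and last:
            stanza[last] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            stanza[last] = value.strip()


def _exact_refs(tokens: List[str]) -> List[str]:
    """Keep only tokens that are key references ending in "!"."""
    hits = []
    for tok in tokens:
        m = KEYREF_RE.match(tok)
        if m and m.group(1):
            hits.append(tok)
    return hits


def exact_subkey_refs_deb822(text: str) -> List[str]:
    """Signed-By references with the "!" suffix across all deb822 stanzas."""
    hits: List[str] = []
    for stanza in deb822_stanzas(text):
        tokens = [t for t in re.split(r"[\s,]+", stanza.get("Signed-By", "")) if t]
        hits.extend(_exact_refs(tokens))
    return hits


def exact_subkey_refs_oneline(text: str) -> List[str]:
    """signed-by references with the "!" suffix in one-line sources.list entries."""
    hits: List[str] = []
    for line in text.splitlines():
        m = ONELINE_OPTS_RE.match(line)
        if not m:
            continue
        for opt in m.group(1).split():
            name, _, value = opt.partition("=")
            if name.lower() == "signed-by":
                hits.extend(_exact_refs([t for t in value.split(",") if t]))
    return hits


def drop_exact_subkey_suffix(text: str) -> str:
    """Rewrite "!"-suffixed references to plain fingerprints. This loses the
    exact-subkey restriction rather than preserving it, so review each hit."""
    return EXACT_SUFFIX_RE.sub(r"\1", text)


# Constructed sample input: one stanza with a "!" reference, one with a keyring path.
SAMPLE_DEB822 = """\
Types: deb
URIs: https://deb.example.org/debian
Suites: bookworm
Components: main
Signed-By: 0123456789ABCDEF0123456789ABCDEF01234567! FEDCBA9876543210FEDCBA9876543210FEDCBA98

Types: deb
URIs: https://mirror.example.net/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg
"""

SAMPLE_ONELINE = """\
deb [signed-by=0123456789ABCDEF0123456789ABCDEF01234567!] https://deb.example.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://mirror.example.net/debian bookworm main
"""

if __name__ == "__main__":
    for fmt, hits in (("deb822", exact_subkey_refs_deb822(SAMPLE_DEB822)),
                      ("one-line", exact_subkey_refs_oneline(SAMPLE_ONELINE))):
        for ref in hits:
            print(f"{fmt}: Signed-By uses exact-subkey match {ref}; sqv will not honour it")
```

Run it against the real files by feeding the contents of `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*.sources` (and `*.list`) to the two scanning functions; entries whose Signed-By is a keyring path or an inline armored key produce no hits, since only fingerprint-style references can carry the suffix.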